Version 7.17.1
Detection Improvements
We have made enhancements to the detection of
- LLADOC-549, LLFILE-400, MALS-2528: URLs in Internet Shortcut files.
- LLFILE-395: data embedded in Microsoft Office Spreadsheet-ML files.
- LLFILE-399, MALS-2539: data embedded in Microsoft Office Presentation-ML files.
- ANREV-3981: memory scraper tools.
- SIGLOGSCAN-257: ability to scan the network over a specific port.
- SIGLOGSCAN-255: ability to use cryptography APIs.
- SIGLOGSCAN-251: ability to shut down/restart the system.
- SIGLOGSCAN-248: evasions using the presence of WINE.
- SIGLOGSCAN-232: Process Doppelgänging code injection.
- SIGLOGSCAN-247: user-mode APC code injection.
- SIGLOGSCAN-230: ability to take screenshots.
- SIGLOGSCAN-199: ability to inject code into a remote process.
- LLAM-3331: cryptojacking behavior.
- LLAM-3426: launching Windows internal processes from browsers.
- LLAM-3408: JavaScript-based Spectre attacks.
- ANREV-4409: XMRigMiner samples.
- LLADOC-533: accessing remote OLE resources.
- SIGREPSCAN-434: accessing non-existent domains.
- SIGREPSCAN-431: deleting Windows backups.
- SIGREPSCAN-316: clearing Windows event logs.
- SIGREPSCAN-407: suspicious, repetitive network communication.
- SIGREPSCAN-408: self-deletion via script files.
- SIGREPSCAN-439: CVE-2017-11882 in Microsoft Office Presentations.
- SIGREPSCAN-403: PowerShell downgrade attacks.
- SIGREPSCAN-430: anomalous execution of JAR files.
- SIGREPSCAN-428: modifying network settings.
- SIGREPSCAN-423: anomalous execution of PowerShell commands.
and improved the reliability of
- LADOC-537, LLADOC-543: extraction of Ole10Native objects from Microsoft Office documents.
- LLADOC-542: parsing RTF files.
- LLADOC-551: parsing of invalid XML.
- LLADOC-544: parsing DDE commands from Microsoft Office documents.
- LLADOC-532: parsing large document files containing duplicate streams.
- LLFILE-380: file type classification for non-Office files using the OpenXML file format.
- LLFILE-393: extracting files from partially-corrupted 7z archives.
- LLADOC-510, LLADOC-545, LLADOC-550: AST parsing of VB macro code embedded in Microsoft Office documents.
- LLAM-3137, LLAM-3345: AST parsing of in-memory blocks of code.
- LLFILE-396: parsing base64-encoded archives.
- MALS-2472, MALS-2477: processing large archive files.
- ANREV-4507, SIGREPSCAN-424: identifying trusted installer packages.
- ANREV-4405: identifying anomalous behavior triggered by Microsoft Windows Error Reporting.
- SIGREPSCAN-418: identifying type-confusion attacks.
Bug Fixes and Improvements
- MALS-2523: Improved detection of suspicious web pages hosted on compromised websites.
- MALS-2509: Better documentation for "No IOC extractable" error in the Lastline Analyst API.
- MALS-2473: More reliable generation of document-structure analysis reports.
- MALS-2257: Better validation of OpenXML-based file types in the Lastline Analyst API.
Deprecation of API methods
All methods of the legacy API (/ll_api/ll_api) have been deprecated.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:
- Lastline Analyst version 840
and for Lastline Detonator On-Premises:
- Lastline Manager version 840
- Lastline Engine version 840
Released sandbox images versions
The sandbox images version is now updated to 2018-01-17-01.
Distribution Upgrade
As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
